Cost Of A Data Breach: State of Utah Fires Tech Director Over Medicaid Breach

In a move to restore public trust after 780,000 people were involved in a data breach, the governor of Utah has fired the state's top IT guy. I cannot recall any other instance where someone who was not directly involved in a data breach was fired for being remiss in his duties. I also hear that something akin to drive encryption software like AlertBoot will be used to secure data on servers.

Biggest Utah Data Breach to Date - A Summary

A summary of what happened, since I haven't previously covered the Utah Medicaid data breach:

According to fox13now.com, on March 10, hackers attacked the Utah Department of Health servers. On March 30, the hackers started downloading data -- which ultimately included names, addresses, and SSNs for 780,000 Utahns -- and the government's IT department caught on to it on April 2.

On April 4, the government announced the data breach, claiming that 24,000 people ("claims") were affected.

On April 6, the figure was revised to 181,604 people (with 25,096 having their SSNs affected). It was explained that the initial 24,000 claims did not correspond to people, but to files, each of which could contain claims on hundreds of people.

On April 9, the figure was revised to 780,000 people, with 280,000 having SSNs stolen and 500,000 people having less sensitive data stolen.

Notably, the April 9 notice from the state remarks that (my emphasis),

The data breach initially occurred on Friday, March 30. A configuration error occurred at the password authentication level, allowing the hacker to circumvent DTS’s security system. DTS has processes in place to ensure the state’s data is secure, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again.

Later, it was revealed that the so-called configuration error was a weak password. Actually, it was more than a weak password: it was the default password.

Director of the Department of Technology Services Asked to Resign

Due to the public outcry over the data breach, the Governor was forced to make a number of decisions, including firing Utah's head IT guy. He also announced the hiring of a public relations firm to manage the crisis, and promised that information would now be protected with encryption when at rest on servers, in addition to when the data is in transit.

Other interesting facts:

The state has engaged a contractor to conduct an independent security audit of the state’s information technology systems. There also is a contract to monitor efforts to contact and notify victims. Together, those jobs are estimated to cost about $1.3 million. [sltrib.com, my emphasis]

So, it looks like Utah's data breach will cost at least $1.3 million, plus whatever is spent on first-class mail and the cost of offering free credit monitoring to 780,000 people (the take-up rate is usually in the single digits to the mid-teens, but there have been cases where nearly 33% of people take up the offer). Of course, all of this comes out of the taxpayer's pockets.

And, it was revealed that the breach was bigger than it should have been because the state kept information around for too long (my emphases):

Medical clinics used the server to validate claims of retirees on Medicaid and others. The stolen information included birth dates, addresses, and in some cases, Social Security numbers... State officials have said the information should have been deleted from the server once a claim was validated, and should not have been retained as records. [businessweek.com]

You Can't Be 100% Safe, But This is Ridiculous

Data breaches will happen; you can never be one-hundred percent safe from a data breach. It's a fact of life, like death. But, there are breaches and there are breaches. To find that the root reason for a data breach is someone in the IT department forgoing the process of changing the default password is... dumbfounding, to say the least.

I'm not sure if I can agree to the IT honcho getting fired (I have mixed feelings, and this looks more like a political move than anything), but someone definitely ought to be. But, if you're firing the head IT guy, you might as well fire the guy who actually caused the breach in the first place. Otherwise, it'd be like firing the CEO of a taxi company because someone was run over by a company cab, but keeping around the actual cab driver who ran over the poor victim. Actually, make that a drunk cab driver, because that's how stupidly irresponsible it is not to change the default password on a server connected to the internet.

The linchpin that allows encryption software to do what it does best -- protect data -- is, realistically, the password. Certainly, the encryption algorithm's robustness is important, but generally the weak link in the chain tends to be people choosing their passwords. As such, we know over here at AlertBoot the importance of preventing people from using weak passwords by providing administrators a way to set up password policies. There's an entire industry built around password security.

And here you have a situation where nearly one-third of Utah's residents were affected because some guy forgot to change a password from what I imagine was "12345" or "administrator" to something more acceptable. And, the magnitude of the insanity was covered by wrapping the details under the cover of a euphemism, "configuration error."
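To make the password-policy point above concrete, here is an added illustration (not code from this post or from AlertBoot) of two defensive checks: a policy validator that rejects the kind of default credential the post describes, and an audit that flags accounts whose stored hash still matches one. The deny-list, the PBKDF2 parameters and the sample accounts are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed deny-list standing in for a vendor/default-credential catalogue.
DEFAULT_CREDENTIALS = {"12345", "administrator", "admin", "password", "changeme"}


def check_password_policy(username, password, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if lowered in DEFAULT_CREDENTIALS:
        problems.append("matches a known default/vendor credential")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    classes = sum(any(f(c) for c in password) for f in (str.isupper, str.islower, str.isdigit))
    if classes < 3 or all(c.isalnum() for c in password):
        problems.append("needs upper, lower, digit and symbol characters")
    return problems


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-SHA256 (illustrative parameters); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def audit_accounts(accounts):
    """Flag (account, credential) pairs whose stored hash still matches a default credential.

    accounts is an iterable of (name, salt, digest) tuples as stored by hash_password.
    """
    flagged = []
    for name, salt, digest in accounts:
        for candidate in DEFAULT_CREDENTIALS:
            if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                flagged.append((name, candidate))
                break  # one hit per account is enough to report it
    return flagged


if __name__ == "__main__":
    # Constructed sample: one account still on its default credential, one rotated.
    salt = os.urandom(16)
    sample = [
        ("dbadmin", salt, hash_password("administrator", salt)[1]),
        ("ops", salt, hash_password("Correct-Horse-9-Battery", salt)[1]),
    ]
    print(audit_accounts(sample))  # [('dbadmin', 'administrator')]
```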

Gee, anyone wonder why the people in Utah are so angry? It's one thing to experience a data breach because "it happens to everyone" and something else to find that you were affected because your data custodians were essentially "asking" for a data breach.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.